
RSA NetWitness Endpoint Overview

RSA NetWitness Endpoint is the #17 ranked solution in EDR tools and the #29 ranked solution in endpoint security software. PeerSpot users give RSA NetWitness Endpoint an average rating of 8 out of 10. RSA NetWitness Endpoint is most commonly compared to Microsoft Defender for Endpoint. RSA NetWitness Endpoint is popular among the large enterprise segment, accounting for 64% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, with professionals from computer software companies accounting for 28% of all views.
Buyer's Guide

Download the Endpoint Protection for Business (EPP) Buyer's Guide including reviews and more. Updated: June 2022

What is RSA NetWitness Endpoint?
RSA NetWitness Endpoint is an endpoint detection and response solution that employs a combination of live memory analysis, continuous behavioral monitoring, and advanced machine learning to detect known, new, unknown, and non-malware threats that other solutions miss entirely. RSA NetWitness Endpoint helps focus investigations amid thousands of alerts and offers 3X the impact for security teams by considerably reducing attacker dwell time and accelerating threat response.

RSA NetWitness Endpoint was previously known as RSA ECAT.

RSA NetWitness Endpoint Customers
ADP, Ameritas, Partners Healthcare

RSA NetWitness Endpoint Pricing Advice

What users are saying about RSA NetWitness Endpoint pricing:
  • "The cost depends on the number of endpoints that you want to monitor, but it is not expensive."
  • "The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000."

RSA NetWitness Endpoint Reviews

    Dr Trust Tshepo Mapoka - PeerSpot reviewer
    Senior Cybersecurity Consultant at CIA Botswana
    Real User
    Top 5
    Good performance and reporting, and can discover unknown malware using signatureless detection methods
    Pros and Cons
    • "This solution allows us to locate the malware in real-time."
    • "I would like to see Security Orchestration and Response Automation (SOAR) integration."

    What is our primary use case?

    We use this solution to detect indicators of compromise, where incidents that occur are analyzed and given risk scores. For example, if the endpoint is of high risk then it will be indicated in red. By contrast, if it's of low risk then it will be indicated in green. The scoring criteria are what we call the Indicators of Compromise. The overall goal is to detect malware that is affecting the endpoints and then provide a response. It is often used by banks and telecom companies.

    What is most valuable?

    The incident response is very good. When you are searching for malware, you can easily decrease the endpoints to narrow the search and find it. Examples of endpoints can be servers or laptops, each with different operating systems. This solution allows us to locate the malware in real-time. I like the performance. It can detect signatureless malware, which many perimeter control and antivirus solutions cannot do. It is helpful for discovering unknown malware and it is so lightweight that you don't even notice that it is installed in your environment. It doesn't load the network and it uses less bandwidth than some other products. The reporting is perfect and I haven't seen any problems with it. RSA can easily integrate with third-party applications like Rapid7. All of the documentation for integration with other platforms and other vendors is available. The API makes integration even easier.

    What needs improvement?

    I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention. One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.

    For how long have I used the solution?

    I have been working with RSA for more than four years.

    What do I think about the stability of the solution?

    This product is very stable. It gives you real-time data if there's an endpoint being compromised. It is not a heavy platform.

    What do I think about the scalability of the solution?

    NetWitness Endpoint is very scalable.

    How are customer service and support?

    The technical support from RSA is 100%. They are available 24/7 and I am very satisfied with them.

    How was the initial setup?

    The initial setup is straightforward.

    What about the implementation team?

    I was working with another technical consultant and the two of us made up the team that implemented this solution. The last project that I was working on was larger in size and spanned over a two-month period. For the RSA NetWitness Endpoint component, it took between five and ten days to deploy, which included documentation. One consultant is all that is needed to deploy it, as long as they understand the expectations held by the customer.

    What's my experience with pricing, setup cost, and licensing?

    This is not an expensive product. The cost depends on the number of endpoints that you want to monitor, but it is not expensive.

    Which other solutions did I evaluate?

    There are several SIEM technologies that are available but one advantage of using RSA NetWitness is that you don't have to outsource the EDR component. It comes as part of the platform. This is in contrast to solutions like IBM QRadar, where you have to outsource the EDR. In a further comparison with QRadar, it doesn't give accurate results because there are a lot of false positives.

    What other advice do I have?

    This is a product that I recommend. My advice for anybody who is implementing it is to make sure that they have somebody who understands it very well. Having somebody who will configure it properly is the right way to have it generate the output that you want. Also, you have to make sure that all of the endpoints are up to date. They have to be online all of the time so that you're able to have visibility on any compromises that may happen. If an endpoint is instead offline, it becomes difficult to investigate or to monitor compromises or malware. I would also suggest deploying a virtual environment. By doing so, it can be cloud-based, and what you need to do is called Event Source Onboarding. This is the process whereby you are providing the consultant with the events that you want to collect data from. In my opinion, this is the best platform, world-wide, and I am happy with it. I would rate this solution a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Dr Trust Tshepo Mapoka - PeerSpot reviewer
    Senior Cybersecurity Consultant at CIA Botswana
    Real User
    Top 5
    Overall great feature functionality, simple installation, and helpful technical support
    Pros and Cons
    • "They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in."

      What is our primary use case?

      RSA NetWitness Endpoint is used to get an instant detection response from network threats. Additionally, it has the capability to do malware analysis and investigations.

      How has it helped my organization?

      RSA NetWitness Endpoint has helped our organization through its many advantages and because it provides overall visibility of all of our endpoints within the enterprise network. You are able to see what exactly is going on and it provides real-time incident reports, instant management, and investigations.

      What is most valuable?

      They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in.

      For how long have I used the solution?

      I have been using RSA NetWitness Endpoint for approximately six years.

      What do I think about the stability of the solution?

      The solution is very stable and does not overwhelm the network.

      What do I think about the scalability of the solution?

      The solution is highly scalable and is easy to scale.

      When comparing RSA NetWitness Endpoint to Splunk, we have found Splunk is missing some features. For example, the user identity and analytics capabilities are not available with Splunk. You will have to depend on third-party tools to provide those features. What makes Splunk very good is that it is dependent on third parties but all those third parties have to integrate together. Splunk should have someone who is very good at API integration to be able to integrate all the third-party tools, otherwise, the solution will not work well.

      We have approximately six people using this solution in my organization.

      How are customer service and technical support?

      The annual license comes with free online support and all you do is open a ticket through the 24/7 support. The support is very good and they provide different levels of incident priority, such as level one and high priority level. They typically respond within 24 hours.

      How was the initial setup?

      The installation was simple.

      What about the implementation team?

      We did the implementation of the solution ourselves. The vendor provides the datasheet manuals which are readily available online. They are easy to follow to complete the implementation.

      We have a license for the vendor to do maintenance.

      What's my experience with pricing, setup cost, and licensing?

      There are different licenses available for the use of this solution. The license that comes with support is more expensive than the basic license. 

      The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000.

      The perpetual license is not good because it does not cover maintenance; you have to pay for maintenance separately. However, they are slowly moving away from perpetual licenses and there will only be annual licensing for your subscription.

      Which other solutions did I evaluate?

      I have evaluated Splunk.

      What other advice do I have?

      Those looking to implement RSA NetWitness Endpoint should do a comprehensive assessment of their environment to check whether they really need the solution. Sometimes you buy the solution and you do not have the right people to use it. Ensure that you invest in the right expertise to use it because after you invest in people, then you invest also in the processes and technologies. If you have the technology but you do not have the expertise to operate the solution, it will not be useful.

      I rate RSA NetWitness Endpoint a ten out of ten.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
      HananSyed - PeerSpot reviewer
      Cyber Security Consultant at Mideast Data Systems
      Real User
      Top 5
      Scalable and useful single location management
      Pros and Cons
      • "The stability of the RSA NetWitness Endpoint is very good."
      • "The threat intelligence could improve in RSA NetWitness Endpoint."

      What needs improvement?

      The threat intelligence could improve in RSA NetWitness Endpoint.

      For how long have I used the solution?

      I have been using RSA NetWitness Endpoint for approximately seven years.

      What do I think about the stability of the solution?

      The stability of the RSA NetWitness Endpoint is very good.

      What do I think about the scalability of the solution?

      RSA NetWitness Endpoint is a scalable solution. However, the problem which we normally face is in terms of the migration of the solution. This solution has hard-coded IP addresses in its agents. When somebody wants to migrate from one data center to another data center, they have to reinstall all the agents. They can't change the hard-coded IP address to allow communication with the target server. That is the largest problem of the solution. Otherwise, in terms of scalability, it's fine.

      If they are able to provide provisioning of the IP address change in the agents only when somebody migrates the hardware appliances from one data center to another data center, it would be a great improvement for those who want to migrate.

      What other advice do I have?

      I would recommend others to use RSA NetWitness Endpoint at this time because they have evolved from an MD to an EDR solution to an XDR solution. They have a single solution in which they can pivot from the NetWitness to the endpoint. Everything is combined in a single pane of glass.

      Earlier, they used to have distinct solutions. The NetWitness EDI used another pane of glass and then the EDR used a different one. Now the EDR and MDR have been combined into a single solution. That is an advantage from the security perspective. They can use a lateral movement and see all aspects in a single pane of glass. It's an easy investigation for everyone. I would definitely recommend this solution.

      I rate RSA NetWitness Endpoint an eight out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Security information and incident handling at a financial services firm with 501-1,000 employees
      Real User
      Provides great protection against malicious files

      What is our primary use case?

      We are customers of RSA.

      What is most valuable?

      The valuable feature is being able to isolate the machine when there are malicious files.

      What needs improvement?

      The solution doesn't have a reporting engine which would be helpful. I've also found that the UI times out too quickly and you have to close and reopen. It should allow for a longer session time.

      For how long have I used the solution?

      I've been using this solution for four years. 

      What do I think about the stability of the solution?

      The solution is stable. 

      What do I think about the scalability of the solution?

      The solution is scalable in terms of coverage. We have more than 2500 endpoints with different levels of users and operating systems. 

      How are customer service and support?

      Customer support is very good in terms of the knowledge base but the response time is too long. It can sometimes take two days before you get a reply.

      How was the initial setup?

      The initial setup was relatively straightforward because we only had to provision the SQL server and then run the setup. We deployed in-house with a DBA and the deployment took a day. We have an external maintenance contract.

      What was our ROI?

      We've seen a good ROI. 

      What other advice do I have?

      I rate this solution eight out of 10. 

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: I am a real user, and this review is based on my own experience and opinions.